Workplace Privacy and HIPAA – A Decade-Old Dance


Page 1


Workplace Privacy and HIPAA – A Decade-Old Dance

Texas Municipal Human Resources Association Annual Conference

Presented By: Timothy G. Verrall

Overview

HIPAA Refresher: What is it? Who does it cover? What do you need to do about it? What happens if you don’t?

What’s new in HIPAA-Land? Enforcement update & lessons for employers

On the regulatory horizon

PHI breaches: planning ahead

Page 2


HIPAA Basics

The Health Information Portability and Accountability Act regulates use, disclosure, security, and transmission of “protected health information”

Privacy, security, and electronic transactions

HIPAA applies to “covered entities”

Healthcare providers conducting “standard transactions”

Healthcare clearinghouses

Health plans (but not employers acting as such)

HITECH Act (2009) expands to “business associates”

Key Terms

HIPAA

HITECH

PHI

Covered Entity

Authorizations

Business Associate

Notice of Privacy Practices

Privacy Policies and Procedures

Page 3


Key Terms (cont.)

What is a “group health plan”?

HIPAA borrowed existing ERISA concept: GHP = “employee welfare benefit plan” that provides specified welfare benefits to employees or their dependents through insurance, reimbursement, or otherwise

Includes both fully-insured and self-funded plans

Key Terms (cont.)

Not every plan/program providing welfare-type benefits is covered

Plans providing “excepted benefits” are excluded

Small (under 50 participants), self-funded, self-administered GHPs are excluded

GHPs maintained by governmental entities are not excluded from coverage

Note: the health insurer is not a GHP but it is a “health plan” and therefore independently covered by HIPAA

Page 4


HIPAA in a Nutshell

No use or disclosure of PHI except as otherwise permitted by HIPAA or required by law

BA’s must comply with the terms of their agreements with covered entities

Both covered entities and BA’s must adopt administrative, technical and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

HIPAA Privacy Basics

Use/disclosure limitations for PHI: “TPO” (treatment, payment, and health care operations)

“Plan administration functions”

Authorized disclosures

Public policy exceptions

“Minimum necessary” only

Administrative safeguards

Page 5


HIPAA Security Basics

Applies to PHI stored, maintained, transmitted, or received via electronic media

Applies to both covered entities and BA’s

Requires adoption of tailored safeguards to protect confidentiality, integrity, and availability of ePHI: administrative, technical, and physical

HIPAA Penalties

Inadvertent - $100; $25,000 cap per violation per year

Reasonable Cause - $1,000; $100,000 cap per violation per year

Willful Neglect/Corrected - $10,000; $250,000 cap per violation per year

Willful Neglect/Not Corrected - $50,000; $1.5 million cap per violation per year

Criminal penalties also available

Page 6


Enhanced Enforcement

HITECH formally directs DHHS to investigate complaints and impose penalties for violations

HIPAA penalties to be “recycled”

Restitution

Fund more DHHS enforcement

State AGs are “deputized” to enforce HIPAA violations that threaten or affect state residents

HIPAA and State Laws

HIPAA broadly preempts conflicting state laws pertaining to the use and disclosure of PHI

But: HIPAA does not preclude states from adopting more stringent protections for PHI

Covered entities and BA’s must comply with the stricter requirements that apply to them

Texas has adopted its own medical privacy laws, but none enhance HIPAA requirements for GHPs (yet)

Page 7


HIPAA and Employers

Employers acting as such are not covered entities or BA’s

Major caveat: their group health plans are covered entities

The structure of a GHP determines its HIPAA profile

Employers must manage HIPAA compliance for their GHPs

HIPAA Privacy and Your Plan

Plan design and degree of employer involvement drive scope of obligations

More employer involvement = more compliance responsibilities

Possibilities – Fully-insured, no PHI

Fully-insured, PHI for plan administration

Self-funded

Page 8


HIPAA Privacy and Your Plan (cont.)

For plans with limited exposure to PHI, obligations are limited too

For plans with access to PHI, there will be more extensive obligations

Plan amendments/certification

Administrative safeguards

Notice of privacy practices

HIPAA Security and Your Plan

For most employer health plans, HIPAA security is about documentation and monitoring

Conduct a risk/threat assessment

Adopt appropriate security standards for PHI maintained at the GHP level (if any)

Ensure BA’s properly secure the ePHI they handle

HITECH requirements introduce data breach as a new area of concern

Page 9


What’s New in HIPAA-Land?

Enforcement Update & Lessons for Employers

Regulatory Update

PHI Breaches – Preparing Ahead of Time

DHHS Enforcement Outlook

DHHS/OCR intends to move towards affirmative and more punitive enforcement

Stated goal to “make examples” of HIPAA violators to encourage voluntary compliance

DHHS wants to encourage a “culture of compliance”

Page 10


DHHS Outlook (cont.)

Most violations involve a lack of compliance due diligence

DHHS interest lies in – Robust policies and procedures

Focused and regular training

Thoughtful assessments of risks and vulnerabilities

Application of sanctions to violators

Do the little things right

Reported Breaches: What We can Learn

Most involve loss or theft of laptops and other mobile devices

Theft rarely targets the PHI on devices

Others just as mundane – misdirected emails, papers left on subway seat

Very few involve hacking or systems-level problems

Benefit plans are not immune (several plan breaches affected more than 1,000 individuals)

Breaches tend to involve lack of follow-through on policies, training, and sanctions

Page 11


One Key Area of Breach Risk

Evaluate the risks to ePHI maintained by Business Associates

Maintain ePHI on centralized systems, not mobile devices

Encrypt to HITECH standards

Ensure ability to remotely wipe devices

Provide adequate training

Enforcement Actions

Formal settlements by DHHS up post-HITECH

State AGs already using new enforcement powers with DHHS training

More states creating or enhancing privacy requirements for PHI

Potential for class-action litigation in some states (e.g., CA)

Page 12


Enforcement Actions (cont.)

Breach reporting does not inevitably lead to DHHS audit

How many individuals affected?

What vulnerabilities were identified?

How effective and decisive was mitigation?

Best Practices for New Era

In 2012, off-the-shelf policies and procedures may not impress DHHS

In 2012, “canned” one-off training is not likely to impress DHHS either

In 2012, sanctions policy needs to have teeth and be enforced in practice

In 2012, compliance self-audits are important to show awareness of issues and appropriate course corrections

Page 13


On the Regulatory Horizon

New omnibus HIPAA regulations currently under Office of Management and Budget review

Regs will be effective in 2012

Consolidates prior DHHS proposals:

BA regulation post-HITECH

Marketing/sale of PHI

Electronic access to PHI

Individual-directed restrictions on use/disclosure

GINA

Enforcement

On the Regulatory Horizon (cont.)

Expected impact on employer plans

Update notice of privacy practices, if applicable

Revise affected policies and procedures, if applicable

Update BA agreements and related policies

Page 14


PHI Breaches: Planning Ahead

BA’s have a large role in safeguarding PHI and are often the source of potential breaches

Breach assessment and notification process should be tightened in BA agreements

Don’t settle for general BA promise to comply with HIPAA rules

PHI Breaches – Issues in BA Agreements

Who assesses and with input from whom?

What’s the timing?

Is the BA an “agent” or not?

Does the covered entity have/exercise audit rights to confirm compliance and capabilities?

How is subcontracting handled?

What protection for plan from State law violations?

Does indemnification protection require fault by BA (why?)

Page 15


Quick Review

HIPAA Privacy, Security Refresher: Basics, Key Terms

Impact on Employers & Their Plans

Penalties

What’s New in HIPAA-Land? Enforcement & lessons to learn

On the regulatory horizon

PHI breaches: planning ahead

Questions?

Page 16


Workplace Privacy and HIPAA – A Decade-Old Dance

Texas Municipal Human Resources Association Annual Conference

Presented By: Timothy G. Verrall